Example #1
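 def test_valid_token(self):
     """The unmodified fixture config authenticates and logs the MFA success.

     Expects ``auth()`` to return ``True`` and the newest ``info`` log
     entry to state that the user authenticated with MFA.
     """
     okta = OktaAPIAuth(**self.config)
     # assertEqual replaces the deprecated assertEquals alias
     # (removed from unittest in Python 3.12).
     self.assertEqual(okta.auth(), True)
     # Pinning the log text keeps the audit trail for accepted logins
     # from changing silently.
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn('now authenticated with MFA via Okta API', last_info)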
Example #2
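 def test_valid_token(self):
     """The unmodified fixture config authenticates and logs the MFA success.

     Expects ``auth()`` to return ``True`` and the newest ``info`` log
     entry to state that the user authenticated with MFA.
     """
     okta = OktaAPIAuth(**self.config)
     # assertEqual replaces the deprecated assertEquals alias
     # (removed from unittest in Python 3.12).
     self.assertEqual(okta.auth(), True)
     # Pinning the log text keeps the audit trail for accepted logins
     # from changing silently.
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn('now authenticated with MFA via Okta API', last_info)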
Example #3
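 def test_connect_to_example_with_good_pin(self):
     """``preauth()`` gets a response when the pinset holds the fixture pin.

     With ``assert_pinset`` set to ``self.herokuapp_dot_com_pin`` the
     request is expected to return a dict whose ``status`` is
     ``MFA_REQUIRED``.
     """
     # Copy so the pin override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     config['assert_pinset'] = [self.herokuapp_dot_com_pin]
     result = OktaAPIAuth(**config).preauth()
     self.assertIn('status', result)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(result['status'], 'MFA_REQUIRED')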
Example #4
    def test_user_agent_set(self):
        """``preauth()`` sends a ``user-agent`` header describing the client.

        The connection pool is replaced by a ``MagicMock`` so no request
        leaves the process; the header passed to ``urlopen`` must contain
        the product token, the OS name and release, and the Python
        implementation/version of the running interpreter.
        """
        import platform

        class Urlopen_Mock:
            # Minimal stand-in response: an empty JSON document.
            data = '{}'

        okta = OktaAPIAuth(**self.config)
        okta.pool = MagicMock()
        okta.pool.urlopen.return_value = Urlopen_Mock()
        okta.preauth()

        # Keyword arguments of the first urlopen() call.
        first_call_kwargs = okta.pool.urlopen.call_args_list[0][1]
        headers = first_call_kwargs['headers']
        header_name = 'user-agent'
        self.assertIn(header_name, headers)
        sent_value = headers[header_name]

        # http://www.ietf.org/rfc/rfc2616.txt
        # OktaOpenVPN/1.0.0 (Darwin 13.4.0) CPython/2.7.1
        uname = platform.uname()
        interpreter = "{}/{}".format(
            platform.python_implementation(),
            platform.python_version(),
        )
        for fragment in ('OktaOpenVPN/', uname[0], uname[2], interpreter):
            self.assertIn(fragment, sent_value)
Example #5
    def test_user_agent_set(self):
        """``preauth()`` sends a ``user-agent`` header describing the client.

        The connection pool is replaced by a ``MagicMock`` so no request
        leaves the process; the header passed to ``urlopen`` must contain
        the product token, the OS name and release, and the Python
        implementation/version of the running interpreter.
        """
        import platform

        class Urlopen_Mock:
            # Minimal stand-in response: an empty JSON document.
            data = '{}'

        okta = OktaAPIAuth(**self.config)
        okta.pool = MagicMock()
        okta.pool.urlopen.return_value = Urlopen_Mock()
        okta.preauth()

        # Keyword arguments of the first urlopen() call.
        first_call_kwargs = okta.pool.urlopen.call_args_list[0][1]
        headers = first_call_kwargs['headers']
        header_name = 'user-agent'
        self.assertIn(header_name, headers)
        sent_value = headers[header_name]

        # http://www.ietf.org/rfc/rfc2616.txt
        # OktaOpenVPN/1.0.0 (Darwin 13.4.0) CPython/2.7.1
        uname = platform.uname()
        interpreter = "{}/{}".format(
            platform.python_implementation(),
            platform.python_version(),
        )
        for fragment in ('OktaOpenVPN/', uname[0], uname[2], interpreter):
            self.assertIn(fragment, sent_value)
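 def test_connect_to_example_with_good_pin(self):
     """``preauth()`` gets a response when the pinset holds the fixture pin.

     With ``assert_pinset`` set to ``self.herokuapp_dot_com_pin`` the
     request is expected to return a dict whose ``status`` is
     ``MFA_REQUIRED``.
     """
     # Copy so the pin override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     config['assert_pinset'] = [self.herokuapp_dot_com_pin]
     result = OktaAPIAuth(**config).preauth()
     self.assertIn('status', result)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(result['status'], 'MFA_REQUIRED')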
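 def test_connect_to_okta_with_good_pins(self):
     """An ``okta.com`` URL passes the pin check with the fixture's pinset.

     ``assert_pinset`` is left as the fixture provides it; the call is
     expected to get as far as an API answer, which is an
     ``errorSummary`` of ``Invalid token provided``.
     """
     # Copy so the URL override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): this looks like a request to a live external host,
     # so the test depends on network access - confirm for CI.
     config['okta_url'] = 'https://example.okta.com'
     result = OktaAPIAuth(**config).preauth()
     # This is what we'll get since we're sending an invalid token:
     self.assertIn('errorSummary', result)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(result['errorSummary'], 'Invalid token provided')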
Example #8
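 def test_invalid_url(self):
     """``auth()`` fails closed when the API endpoint cannot be reached.

     Expects ``False`` and an ``error`` log entry about the connection
     failure rather than an exception escaping to the caller.
     """
     # Copy so the URL override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     # Port 86753 is above 65535, so no connection to it can succeed.
     config['okta_url'] = 'http://127.0.0.1:86753'
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     last_error = self.okta_log_messages['error'][-1]
     self.assertIn('Error connecting to the Okta API', last_error)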
Example #9
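 def test_invalid_no_token(self):
     """``auth()`` rejects a login whose password carries no second factor.

     Expects ``False`` and an ``info`` log entry saying no second factor
     was found for the username.
     """
     # Copy so the override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): the value appears masked in this listing; the test
     # needs a password without an appended token - confirm upstream.
     config['password'] = '******'
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn('No second factor found for username', last_info)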
Example #10
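 def test_password_None(self):
     """``auth()`` rejects a ``None`` password instead of raising.

     Expects ``False`` and an ``info`` log entry reporting the missing
     username or password.
     """
     # Copy so the override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     config['password'] = None
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn('Missing username or password', last_info)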
Example #11
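 def test_password_expired(self):
     """``auth()`` refuses a user the API reports as not allowed to log in.

     Expects ``False`` and an ``info`` log entry containing
     ``is not allowed to authenticate``.
     """
     # Copy so the override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): the username appears masked in this listing;
     # presumably it selects the expired-password account of the mock
     # API - confirm upstream.
     config['username'] = '******'
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn('is not allowed to authenticate', last_info)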
Example #12
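 def test_invalid_token(self):
     """``auth()`` rejects a wrong MFA token.

     Expects ``False`` and a ``debug`` log entry reporting that MFA
     token authentication failed.
     """
     # Copy so the override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): the value appears masked in this listing; the test
     # needs a password followed by an invalid token - confirm upstream.
     config['password'] = '******'
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     # NOTE(review): the failure is looked up in the 'debug' bucket. If
     # it is logged only at debug level, deployments with debug logging
     # off may not record failed second-factor attempts - confirm.
     last_debug = self.okta_log_messages['debug'][-1]
     self.assertIn('MFA token authentication failed', last_debug)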
Example #13
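 def test_connect_to_okta_with_good_pins(self):
     """An ``okta.com`` URL passes the pin check with the fixture's pinset.

     ``assert_pinset`` is left as the fixture provides it; the call is
     expected to get as far as an API answer, which is an
     ``errorSummary`` of ``Invalid token provided``.
     """
     # Copy so the URL override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): this looks like a request to a live external host,
     # so the test depends on network access - confirm for CI.
     config['okta_url'] = 'https://example.okta.com'
     result = OktaAPIAuth(**config).preauth()
     # This is what we'll get since we're sending an invalid token:
     self.assertIn('errorSummary', result)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(result['errorSummary'], 'Invalid token provided')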
Example #14
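 def test_valid_user_must_enroll_mfa(self):
     """``auth()`` refuses a user who still has to enroll a second factor.

     Expects ``False`` and an ``info`` log entry containing
     ``needs to enroll first``.
     """
     # Copy so the override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): the username appears masked in this listing;
     # presumably it selects the not-yet-enrolled account of the mock
     # API - confirm upstream.
     config['username'] = '******'
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn('needs to enroll first', last_info)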
Example #15
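 def test_password_None(self):
     """``auth()`` rejects a ``None`` password instead of raising.

     Expects ``False`` and an ``info`` log entry reporting the missing
     username or password.
     """
     # Copy so the override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     config['password'] = None
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn('Missing username or password', last_info)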
Example #16
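 def test_invalid_url(self):
     """``auth()`` fails closed when the API endpoint cannot be reached.

     Expects ``False`` and an ``error`` log entry about the connection
     failure rather than an exception escaping to the caller.
     """
     # Copy so the URL override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     # Port 86753 is above 65535, so no connection to it can succeed.
     config['okta_url'] = 'http://127.0.0.1:86753'
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     last_error = self.okta_log_messages['error'][-1]
     self.assertIn('Error connecting to the Okta API', last_error)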
Example #17
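 def test_password_expired(self):
     """``auth()`` refuses a user the API reports as not allowed to log in.

     Expects ``False`` and an ``info`` log entry containing
     ``is not allowed to authenticate``.
     """
     # Copy so the override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): the username appears masked in this listing;
     # presumably it selects the expired-password account of the mock
     # API - confirm upstream.
     config['username'] = '******'
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn('is not allowed to authenticate', last_info)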
Example #18
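 def test_invalid_no_token(self):
     """``auth()`` rejects a login whose password carries no second factor.

     Expects ``False`` and an ``info`` log entry saying no second factor
     was found for the username.
     """
     # Copy so the override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): the value appears masked in this listing; the test
     # needs a password without an appended token - confirm upstream.
     config['password'] = '******'
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn('No second factor found for username', last_info)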
Example #19
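 def test_invalid_token(self):
     """``auth()`` rejects a wrong MFA token.

     Expects ``False`` and a ``debug`` log entry reporting that MFA
     token authentication failed.
     """
     # Copy so the override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): the value appears masked in this listing; the test
     # needs a password followed by an invalid token - confirm upstream.
     config['password'] = '******'
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     # NOTE(review): the failure is looked up in the 'debug' bucket. If
     # it is logged only at debug level, deployments with debug logging
     # off may not record failed second-factor attempts - confirm.
     last_debug = self.okta_log_messages['debug'][-1]
     self.assertIn('MFA token authentication failed', last_debug)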
Example #20
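 def test_valid_user_must_enroll_mfa(self):
     """``auth()`` refuses a user who still has to enroll a second factor.

     Expects ``False`` and an ``info`` log entry containing
     ``needs to enroll first``.
     """
     # Copy so the override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): the username appears masked in this listing;
     # presumably it selects the not-yet-enrolled account of the mock
     # API - confirm upstream.
     config['username'] = '******'
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn('needs to enroll first', last_info)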
Example #21
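 def test_valid_user_no_mfa(self):
     """``auth()`` accepts a user for whom no second factor is demanded.

     Expects ``True`` and an ``info`` log entry containing
     ``authenticated without MFA``.
     """
     # Copy so the overrides stay local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): both values appear masked in this listing.
     config['username'] = '******'
     config['password'] = '******'
     okta = OktaAPIAuth(**config)
     # NOTE(review): this pins that such a user is let in on the
     # password alone; confirm that is the intended policy, since the
     # API's answer then decides whether MFA is enforced.
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), True)
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn('authenticated without MFA', last_info)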
Example #22
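 def test_valid_user_no_mfa(self):
     """``auth()`` accepts a user for whom no second factor is demanded.

     Expects ``True`` and an ``info`` log entry containing
     ``authenticated without MFA``.
     """
     # Copy so the overrides stay local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): both values appear masked in this listing.
     config['username'] = '******'
     config['password'] = '******'
     okta = OktaAPIAuth(**config)
     # NOTE(review): this pins that such a user is let in on the
     # password alone; confirm that is the intended policy, since the
     # API's answer then decides whether MFA is enforced.
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), True)
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn('authenticated without MFA', last_info)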
Example #23
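 def test_invalid_password(self):
     """``auth()`` rejects a wrong password at the pre-authentication step.

     Expects ``False`` and an ``info`` log entry containing
     ``pre-authentication failed: Authentication failed``.
     """
     # Copy so the overrides stay local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): both values appear masked in this listing.
     config['username'] = '******'
     config['password'] = '******'
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn(
         'pre-authentication failed: Authentication failed', last_info)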
Example #24
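 def test_invalid_password(self):
     """``auth()`` rejects a wrong password at the pre-authentication step.

     Expects ``False`` and an ``info`` log entry containing
     ``pre-authentication failed: Authentication failed``.
     """
     # Copy so the overrides stay local if self.config is shared
     # between tests.
     config = dict(self.config)
     # NOTE(review): both values appear masked in this listing.
     config['username'] = '******'
     config['password'] = '******'
     okta = OktaAPIAuth(**config)
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(okta.auth(), False)
     last_info = self.okta_log_messages['info'][-1]
     self.assertIn(
         'pre-authentication failed: Authentication failed', last_info)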
Example #25
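    def test_unexpected_error(self):
        """``auth()`` fails closed when ``doauth`` raises an unexpected error.

        ``doauth`` is replaced on the instance by a function that always
        raises; ``auth()`` must return ``False`` and log an ``error``
        entry instead of letting the exception decide the outcome.
        """
        okta = OktaAPIAuth(**self.config)

        def doauth_fail(a, b):
            # Assigned on the instance, so it is not bound: it receives
            # exactly the two arguments auth() passes to doauth.
            raise Exception('Mocked exception')

        okta.doauth = doauth_fail
        # assertEqual replaces the deprecated assertEquals alias.
        self.assertEqual(okta.auth(), False)
        last_error = self.okta_log_messages['error'][-1]
        self.assertIn('Unexpected error with the Okta API', last_error)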
Example #26
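    def test_unexpected_error(self):
        """``auth()`` fails closed when ``doauth`` raises an unexpected error.

        ``doauth`` is replaced on the instance by a function that always
        raises; ``auth()`` must return ``False`` and log an ``error``
        entry instead of letting the exception decide the outcome.
        """
        okta = OktaAPIAuth(**self.config)

        def doauth_fail(a, b):
            # Assigned on the instance, so it is not bound: it receives
            # exactly the two arguments auth() passes to doauth.
            raise Exception('Mocked exception')

        okta.doauth = doauth_fail
        # assertEqual replaces the deprecated assertEquals alias.
        self.assertEqual(okta.auth(), False)
        last_error = self.okta_log_messages['error'][-1]
        self.assertIn('Unexpected error with the Okta API', last_error)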
Example #27
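    def test_okta_url_cleaned(self):
        """``auth()`` still succeeds when ``okta_url`` has extra path parts.

        Two variants of ``self.okta_url`` are tried: one with a trailing
        slash and one with ``/api/v1`` appended. Both must authenticate.
        """
        # Copy so the URL overrides stay local if self.config is shared
        # between tests.
        config = dict(self.config)
        variants = (
            "{}/".format(self.okta_url),
            "{}/api/v1".format(self.okta_url),
        )
        for url in variants:
            config['okta_url'] = url
            okta = OktaAPIAuth(**config)
            # assertEqual replaces the deprecated assertEquals alias.
            self.assertEqual(okta.auth(), True)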
Example #28
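 def test_bad_pin_log_message(self):
     """A pin mismatch raises ``PinError`` and logs a ``critical`` entry.

     The newest ``critical`` message must contain the refusal, the host
     that was contacted, the name of the failed check and a contact
     hint, so an operator can tell a pinning failure from an outage.
     """
     # Copy so the pin override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     config['assert_pinset'] = ['not-a-sha256']
     okta = OktaAPIAuth(**config)
     self.assertRaises(PinError, okta.preauth)
     last_critical = self.okta_log_messages['critical'][-1]
     # The first letter of two fragments is omitted, which makes the
     # match independent of how the message capitalises them.
     # NOTE(review): the address in the last fragment is obfuscated in
     # this listing; restore it from the upstream source before
     # relying on this assertion.
     messages = [
         'efusing to authenticate',
         'mocked-okta-api.herokuapp.com',
         'TLS public key pinning check',
         'lease contact [email protected]',
     ]
     for msg in messages:
         self.assertIn(msg, last_critical)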
Example #29
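    def test_okta_url_cleaned(self):
        """``auth()`` still succeeds when ``okta_url`` has extra path parts.

        Two variants of ``self.okta_url`` are tried: one with a trailing
        slash and one with ``/api/v1`` appended. Both must authenticate.
        """
        # Copy so the URL overrides stay local if self.config is shared
        # between tests.
        config = dict(self.config)
        variants = (
            "{}/".format(self.okta_url),
            "{}/api/v1".format(self.okta_url),
        )
        for url in variants:
            config['okta_url'] = url
            okta = OktaAPIAuth(**config)
            # assertEqual replaces the deprecated assertEquals alias.
            self.assertEqual(okta.auth(), True)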
Example #30
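 def test_connect_to_example_with_bad_pin(self):
     """``preauth()`` raises ``PinError`` when the pinset cannot match.

     The only pin offered is the string ``not-a-sha256``.
     """
     # Copy so the pin override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     config['assert_pinset'] = ['not-a-sha256']
     okta = OktaAPIAuth(**config)
     with self.assertRaises(PinError):
         okta.preauth()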
Example #31
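 def test_connect_to_unencrypted_server(self):
     """``preauth()`` raises a urllib3 ``PoolError`` for a plain-HTTP URL.

     This pins that an ``http://`` endpoint is refused rather than
     used; presumably the pool only serves HTTPS - confirm against the
     client code.
     """
     # Copy so the URL override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     config['okta_url'] = 'http://example.com'
     okta = OktaAPIAuth(**config)
     with self.assertRaises(urllib3.exceptions.PoolError):
         okta.preauth()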
Example #32
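 def test_connect_to_encrypted_but_unintended_server(self):
     """``preauth()`` raises ``PinError`` for an HTTPS host outside the pinset.

     The fixture's pinset is left untouched and only the URL changes,
     so this pins that serving HTTPS is not enough: the server's key
     must also match a configured pin.
     """
     # Copy so the URL override stays local if self.config is shared
     # between tests.
     config = dict(self.config)
     config['okta_url'] = 'https://example.com'
     okta = OktaAPIAuth(**config)
     with self.assertRaises(PinError):
         okta.preauth()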